STE WILLIAMS

Hard-coded passwords put industrial systems at risk

We’ve been dabbling with commercial computing for well over half a century, but we’re still making the same mistakes. One of the biggest howlers is hard-coding passwords directly into our computer and networking systems for hackers to find. Just this month, it happened again.

Schneider Electric, which makes supervisory control and data acquisition (SCADA) equipment, has been shipping products with passwords embedded in the firmware, revealed researchers from German firm OpenSource Security. They found that not only was the password for the Schneider Modicon TM221CE16R logic controller hard-coded into the firmware, but that it could not be changed.

The “password” in question is really a decryption key for project files. The fixed key is “SoMachineBasicSoMachineBasicSoMa”, and it cannot be changed. Anyone who decrypts a project’s XML file with that key can read the user password stored inside it, and with that password can modify the system.

The researchers finally went public with the information on April 4, after trying to contact Schneider Electric about it. In response, the vendor sent a mea culpa statement to SC Magazine UK, admitting that they messed up, and promising to do better.

What were they thinking?

Insecurities in SCADA systems are bad enough, because they are industrial control systems that keep serious pieces of critical national infrastructure running, ranging from water treatment plants to agricultural systems. These aren’t the kind of things that you want to be vulnerable, and yet hard-coded passwords are a common problem in that world. Siemens has been caught putting hardwired passwords into its own controllers more than once.

Hard-coded passwords also crop up in other products.

Routers are common targets for attack because vendors won’t learn from each others’ mistakes. US-CERT warned in 2015 that droves of them had been discovered to have hard-coded passwords.

This month, Cisco found that its Mobility Express Software, which ships with some of its Aironet wireless access points, has an admin-level SSH password hard-coded.

Lenovo included the password 12345678 in the Android and Windows versions of its SHAREit file sharing app, and in a clear entry into the “what were they thinking” category, researchers found hard-coded passwords in around 300 medical devices across approximately 40 vendors. This stuff is rampant.

Why do people hard-code passwords in the first place? One reason is that manufacturers just aren’t very good at customizing equipment rolling off the production line. Burning the same thing into every device makes them easier to manage.

Another is that it makes the development process easier. Developers will often need shared access to certain system resources such as internal databases when developing a product, and they’ll frequently embed the access passwords directly in their code to make authentication easier. They always mean to change it later, of course, but it’s often not a priority.

Unfortunately, while all these things make life easier for the vendor, they also make the products easier to hack.

So what’s the answer? One potential solution, according to OWASP, is to use a “first login” mode that requires the user to enter a unique strong password.

This would be a great example of security by design – the concept of designing systems from the ground up with security in mind, rather than bolting it on later as an afterthought. It carries its own challenges, though: what if the user forgets their password? In that case, a factory reset would get them back to first-login mode, presumably.
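The first-login design, shown in code as an added example (not from the article, OWASP or any vendor): a device that refuses every login until a unique password meeting a minimum policy has been set, stores only a salted PBKDF2 hash of it, and returns to first-login mode only through a factory reset that requires physical presence. A hard-coded device sits beside it for contrast. The physical-button flag, the 12-character minimum, the iteration count and the banned list are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumption; tune to the device's CPU budget
MIN_PASSWORD_LEN = 12         # assumption; a real policy would be richer
# Assumed list of factory-style values a first-login flow must refuse outright.
BANNED_PASSWORDS = {"12345678", "password", "admin", "administrator"}


class HardcodedDevice:
    """The anti-pattern: one credential burned into every unit, unchangeable."""

    FACTORY_PASSWORD = "12345678"  # constructed stand-in for a burned-in secret

    def login(self, password: str) -> bool:
        return hmac.compare_digest(password.encode(), self.FACTORY_PASSWORD.encode())


class FirstLoginDevice:
    """Ships with no credential at all; the owner must set one before any service."""

    def __init__(self) -> None:
        self._reset_state()

    def _reset_state(self) -> None:
        self.first_login = True
        self._salt = None
        self._digest = None

    def set_initial_password(self, password: str) -> None:
        if not self.first_login:
            raise PermissionError("already provisioned; use a change-password flow")
        if len(password) < MIN_PASSWORD_LEN or password.lower() in BANNED_PASSWORDS:
            raise ValueError("password does not meet the minimum policy")
        # Per-device random salt: two units with the same password store different hashes.
        self._salt = os.urandom(16)
        self._digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ITERATIONS
        )
        self.first_login = False

    def login(self, password: str) -> bool:
        if self.first_login:
            return False  # nothing to authenticate against yet: refuse all service
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ITERATIONS
        )
        return hmac.compare_digest(candidate, self._digest)

    def factory_reset(self, physical_button_held: bool) -> None:
        """Recovery for a forgotten password: wipe the credential, back to first login.

        Requiring physical presence (assumed here to be a held button) keeps the
        reset from becoming a remote bypass of the password that was just set.
        """
        if not physical_button_held:
            raise PermissionError("factory reset requires physical presence")
        self._reset_state()


if __name__ == "__main__":
    dev = FirstLoginDevice()
    print("login before provisioning:", dev.login("anything"))
    dev.set_initial_password("correct-horse-battery")
    print("login with owner password:", dev.login("correct-horse-battery"))
    dev.factory_reset(physical_button_held=True)
    print("login after factory reset:", dev.login("correct-horse-battery"))
```

The point of the contrast is that `HardcodedDevice.login` is identical on every unit ever shipped, so one leaked string opens all of them, whereas `FirstLoginDevice` has nothing to leak until an owner provisions it and nothing reusable across units afterwards.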

Hard-coded passwords won’t always be visible to users. They’re buried in the source code, but can still be found by a malicious actor with motivation and the appropriate tools. So what can companies do to try and protect themselves?

Having a word with the vendor is a good place to start. Asking them how easy it would be for the company to recover the device for you in the event of a lost password can reveal whether hard-coded passwords are a known feature. Simply asking the company straight out to confirm that it doesn’t use these things is also a strategy.

However, there is always the chance that the vendor simply may not know about the vulnerability. Trust no one.
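Since the vendor may not know, the check a buyer can run is to pull the firmware image and look for credential-shaped strings yourself, the same way an attacker would. The scanner below is an added example, not from the article or any vendor tool: it extracts printable runs like strings(1) and flags three shapes of embedded secret (a keyword followed by a literal value, a crypt(3)-style password hash, and a long high-entropy token). The firmware blob is constructed inline for the demonstration, and the keyword list, hash prefixes and entropy threshold are assumptions a real run would tune.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a firmware image: an ELF-ish header, padding, a banner,
# a credential assignment, a shadow-style hash line and a random-looking token.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    + b"Welcome to the controller\x00"
    + b"\x01\x02\x03\x04"
    + b"PASSWD=factory-default-1\x00"
    + b"root:$1$Xk9qL2Pz$7HdY8j3sKQw1aB2cD3eF4/:0:0::/root:/bin/sh\x00"
    + b"\xff\xfe"
    + b"k7Qx2mV9pL4rT8wZ1nB6yC3hJ5sF\x00"
    + b"version 1.0.3\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # same idea as strings(1), min length 6
# Assumed keyword list: identifiers that commonly precede a literal secret.
CRED_ASSIGN = re.compile(
    r"\b(pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\s*[=:]\s*\S+", re.I
)
# crypt(3) prefixes: $1$ md5, $5$ sha256, $6$ sha512, $2a/$2b/$2y bcrypt, $y$ yescrypt
CRYPT_HASH = re.compile(r"\$(?:1|5|6|2[aby]?|y)\$[./A-Za-z0-9$]{8,}")
ENTROPY_MIN_LEN = 20     # assumption: shorter strings give noisy entropy estimates
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption, tune per image


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the string's own symbol distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_strings(blob: bytes):
    """Yield (offset, text) for every run of printable ASCII of length >= 6."""
    for m in PRINTABLE_RUN.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def classify(text: str) -> list:
    """Return the reasons a string looks like an embedded secret (empty if benign)."""
    reasons = []
    if CRED_ASSIGN.search(text):
        reasons.append("credential assignment")
    if CRYPT_HASH.search(text):
        reasons.append("unix crypt hash")
    # Entropy is the fallback for secrets with no telling keyword around them.
    if (not reasons and len(text) >= ENTROPY_MIN_LEN
            and shannon_entropy(text) >= ENTROPY_THRESHOLD):
        reasons.append("high-entropy token")
    return reasons


def scan_firmware(blob: bytes) -> list:
    """Scan a firmware image and return the suspicious strings with offsets and reasons."""
    findings = []
    for offset, text in extract_strings(blob):
        reasons = classify(text)
        if reasons:
            findings.append({"offset": offset, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_FIRMWARE):
        print(f"0x{f['offset']:06x}  {', '.join(f['reasons']):22}  {f['text']}")
```

Every hit still needs a human to decide whether it is a real credential, a test fixture or a public constant; the scanner's job is to shrink the haystack, and a vendor that answers “we don’t ship hard-coded passwords” while the image contains a `PASSWD=` literal has told you what you needed to know.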

Segmenting equipment inside your organization is important, so that if someone gets access to a system, they won’t be able to move laterally without a lot of extra work and other system compromises. Use different subnets, and harden individual systems against attack.

None of this will completely eliminate the risk – in cybersecurity, nothing ever does – but it will at least reduce it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qGiz1lAfhzc/

Payday loan company Wonga breached – what you need to know

Short-term loan company Wonga has just announced a data breach.

According to reports, personal information of approximately 250,000 customers in the UK and 25,000 in Poland was plundered.

Companies like Wonga are generally referred to as “payday loan providers” because customers typically borrow small amounts at high interest rates for short periods, for example to cover an unexpected expense until payday.

Despite the short-term nature of payday loans, you still need to hand over plenty of personally identifiable information, as with any account you open, including your name, address, phone number, bank account number and credit card details.

And, as with any company that operates online these days, you need to create an online account, too, which means coming up with a strong and unique password for that account.

Wonga has creditably put a very visible notice on the main page of its website, linking through to an FAQ page.

If you’ve ever used Wonga, we recommend reading the FAQ even if you didn’t receive an email from the company, just so you’re aware of what is known so far.

If you were one of the unlucky customers whose data was stolen, the silver lining is that the crooks only seem to have got at a subset of all the data Wonga knows about you:

  • Name.
  • Email address.
  • Residential address.
  • Phone number.
  • Bank account number and sort code.
  • Last four digits of card number.

As galling as it is to have this data disclosed by someone else, none of the items above are quite enough on their own for a crook to defraud you directly.

For example, in the UK, your address is effectively a matter of public record thanks to the electoral register, and many companies and sole traders openly publish their bank account numbers on every invoice to make it easy to get paid.

But stolen databases like this one are nevertheless valuable to cybercrooks, because having all those data points conveniently collected together is gold dust for scammers and social engineers.

It makes it easier for someone with the gift of the gab to convince your bank, your employer or your friends that they know you really well, or that they are acting on your behalf, or even that they are you.

It also gives those self-same scammers a way to persuade you to divulge more about yourself, for example by contacting you and pretending to be someone investigating the breach.

LEARN MORE ABOUT SCAMMERS: The scam that knows your name and home address

Worse still, if you chose your password unwisely, for example by basing it on information associated with the account so that the password was easier to remember, it’s now easier for cybercrooks to guess.

(Wonga seems pretty certain that no password-specific data was stolen outright, whether encrypted or not.)

What to do?

  • If you have an easy-to-guess password on your Wonga account, go and change it, because it’s now even weaker than before.

While you’re about it, change your other online passwords too, after watching our video on How to Pick a Proper Password.


  • Keep an eye on your Wonga account and any transactions in and out of any bank accounts that you shared with Wonga.

In Wonga’s words, “We will be alerting financial institutions about this issue and any individuals impacted as soon as possible, but we recommend that you also contact your bank and ask them to look out for any suspicious activity.”

  • If someone contacts you by phone or email to discuss the Wonga breach, don’t act on any information they give you.

Hang up the phone, as you would with a technical support scammer (or delete the email, as you would with unsolicited attachments) and contact Wonga directly using contact details you figured out for yourself.

In Wonga’s words, “Beware of scammers or unusual online activity. Be cautious of anyone who calls you and asks you to disclose any personal information regardless of where they say they are from. If this happens, we recommend that you hang up.”

As we like to say here on Naked Security, if in doubt, don’t give it out.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_eg6j5a3zbc/

BrickerBot malware zeroes in on Linux-based IoT devices

In its 2017 malware forecast, SophosLabs warned that attackers would increasingly target devices connected to the Internet of Things (IoT) – everything from webcams to internet-connecting household appliances. Late last week, we saw another example of how the trend is playing out.

Security vendor Radware warned that malware called BrickerBot is in the wild, designed to brick IoT devices by damaging their storage capability and scrambling kernel parameters. The company detected two versions of the malware in its honeypot servers – BrickerBot.1 and BrickerBot.2. The first attacks were detected March 20, targeting Linux-based IoT devices running the BusyBox toolkit. The honeypot recorded 1,895 PDoS (Permanent Denial of Service) attempts by BrickerBot from several locations around the world over four days.

To block the attack, Radware recommended users:

  • Change the device’s factory default credentials.
  • Disable Telnet access to the device.
  • Use network behavioral analysis to detect anomalies in traffic, combined with automatic signature generation for protection.
  • Use user/entity behavioral analysis (UEBA) to spot granular anomalies in traffic early.
  • Have an IPS block Telnet default credentials or reset Telnet connections, and use a signature to detect the command sequences Radware provided.

The rising tide of IoT threats

Such IoT threats are something SophosLabs has warned about for the last several months. IoT threats had been discussed for years in largely theoretical terms, but the theoretical turned into reality last October when Mirai malware was used to hijack internet-facing webcams and other devices into massive botnets that were then used to launch a coordinated assault against Dyn, one of several companies hosting the Domain Name System (DNS). That attack crippled such major sites as Twitter, Paypal, Netflix and Reddit.

The rise of IoT attacks led SophosLabs’ 2017 malware forecast, and BrickerBot’s taste for Linux-based devices is consistent with the report’s findings.

The frequency and complexity of Linux malware rose throughout 2016. One malware sample described in the report was built to evade AV detection with consistent static updates, encrypted/obfuscated strings and even some rudimentary UPX packer hacking.

SophosLabs noticed one family that was far more active than any of the others – Linux/DDoS-BI, also known as Gayfgt – which spread by simply scanning over large IP blocks attempting to bruteforce SSH. It targeted low-hanging fruit such as any device that has a factory/default password. (Note how in the defensive measures for BrickerBot above, the first recommendation is to change the factory-set password.)
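What that scanning looks like from the defender’s side, as an added example (not from the SophosLabs report or any Sophos product): a detector that reads OpenSSH auth-log lines, keeps a sliding window of failed logins per source address, and raises an alert when a source exceeds a failure threshold inside the window, recording how many distinct usernames it tried (a default-credential sweep cycles through names like root, admin and pi) and whether a login was accepted after the burst, which is the case that matters most. The log lines are constructed for the demonstration; the threshold and window size are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in the classic syslog format (not real captures).
SAMPLE_AUTH_LOG = [
    "Apr 10 03:14:01 cam01 sshd[812]: Failed password for root from 198.51.100.7 port 40211 ssh2",
    "Apr 10 03:14:02 cam01 sshd[813]: Failed password for admin from 198.51.100.7 port 40215 ssh2",
    "Apr 10 03:14:03 cam01 sshd[814]: Failed password for invalid user pi from 198.51.100.7 port 40220 ssh2",
    "Apr 10 03:14:05 cam01 sshd[815]: Failed password for invalid user ubnt from 198.51.100.7 port 40231 ssh2",
    "Apr 10 03:14:07 cam01 sshd[816]: Failed password for invalid user support from 198.51.100.7 port 40240 ssh2",
    "Apr 10 03:14:09 cam01 sshd[820]: Accepted password for admin from 198.51.100.7 port 40290 ssh2",
    "Apr 10 03:20:00 cam01 sshd[830]: Failed password for alice from 192.0.2.10 port 51000 ssh2",
    "Apr 10 03:20:30 cam01 sshd[831]: Accepted password for alice from 192.0.2.10 port 51001 ssh2",
    "Apr 10 03:21:00 cam01 sshd[832]: Connection closed by 192.0.2.10 port 51001 [preauth]",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_sshd_line(line: str):
    """Return (timestamp, result, user, ip) for a password auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; deltas within one window are still correct.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_ssh_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> dict:
    """Flag sources with >= threshold failures inside a sliding window of window_s seconds."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    users_tried = defaultdict(set)  # ip -> usernames attempted
    alerts = {}
    for line in lines:
        event = parse_sshd_line(line)
        if event is None:
            continue
        ts, result, user, ip = event
        if result == "Failed":
            window = failures[ip]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_s:
                window.popleft()
            users_tried[ip].add(user)
            if len(window) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "distinct_users": 0,
                                               "users": [], "accepted_after_burst": False})
                alert["failures"] = max(alert["failures"], len(window))
                alert["distinct_users"] = len(users_tried[ip])
                alert["users"] = sorted(users_tried[ip])
        elif ip in alerts:
            # A success from a source already flagged is the signal to act on now.
            alerts[ip]["accepted_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

A source that trips the threshold and then gets an `Accepted` is the Gayfgt/Mirai pattern in miniature: a short list of default usernames tried in seconds, one of which worked. Blocking on the alert alone is noisy; blocking on the alert plus the accepted login, and then changing that device’s factory password, is the response the page’s first recommendation points at.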

Governments are worried

The IoT threat has steadily moved up the list of concerns among government bodies. Last month, Britain’s newly opened National Cyber Security Centre (NCSC) joined with the National Crime Agency in the UK to warn people about Internet of Things devices.

In the US, the worries prompted the Federal Trade Commission (FTC) to launch a competition challenging the public to create a technical solution that would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software in IoT devices. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords. The prize for the competition is up to $25,000, with $3,000 available for each honorable mention winner(s).

The submission deadline is May 22 at noon eastern time, and winners will be announced on or about July 27.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1_Mae5UBAzo/

Mounties admit to using cellphone-snooping ‘stingrays’

Last week, Canada’s Mounties admitted for the first time that just like US police, they use stingrays – suitcase-sized cell site simulators that mimic a cell tower and trick nearby phones (as in everybody’s phones, not just crooks’) into connecting and giving up their identifying information and location.

Granted, it’s not exactly like the way tower dumps are used in the US, given that the Royal Canadian Mounted Police (RCMP) are reportedly pretty scrupulous about getting warrants first. The RCMP did, however, admit to using the devices for years without permission, which it only got two months ago.

The admission comes after revelations that somebody or somebodies has turned the tables on the RCMP: a CBC News investigation has found that the devices have been planted at Montreal’s Trudeau airport.

Somebody’s also been using International Mobile Subscriber Identity (IMSI) catchers in the area around Parliament Hill in Ottawa.

Earlier in the month, public safety minister Ralph Goodale had denied that the spying is being done by any Canadian agency. The RCMP and Canadian Security Intelligence Service (CSIS) have launched an investigation into who might be responsible.

The devices were discovered during a months-long investigation, when reporters from CBC News and Radio-Canada used a device called a CryptoPhone to detect the use of the IMSI catchers. Made by the German company GSMK, the CryptoPhone looks just like a regular cellphone.

The CryptoPhone picked up on stingrays in use at locations around Parliament Hill, including the nearby Byward Market, the Rideau Centre shopping mall and CBC offices in downtown Ottawa.

CBC reports that the IMSI catchers have a radius of about half a kilometre in an urban setting. That means that the devices that they detected could snoop on cellphones used around Parliament Hill, the prime minister’s office in Langevin Block, National Defence headquarters, as well as the US and Israeli embassies.

Last week, in the wake of news reports about the discovery, the RCMP for the first time lifted the curtain on its own use of the technology.

During a news briefing Jeff Adam, chief of technical investigations services, told reporters that while he isn’t “personally aware” of foreign agencies using the technology in Canada, “I can’t rule that out.” His office tracks all RCMP use of these devices.

The RCMP itself owns 10 stingrays, also known as Mobile Device Identifiers (MDIs). These things sell for around $400,000 each.

The RCMP said it’s used these “vital tools” scores of times to identify and track mobile devices: in 19 criminal investigations last year, and in 24 investigations in 2015, CBC News reported.

The only time police didn’t get a warrant before using the MDIs was an “exigent” circumstance – for example, an emergency situation “such as a kidnapping,” Adam said.

Some of these devices enable eavesdropping on phone calls and direct interception of text messages. Such invasive versions of the devices are illegal in Canada. Adam said that the devices used by the RCMP have software that blocks them from collecting anything beyond a mobile device’s identification number and its location:

What the RCMP technology does not do is collect private communication.

In other words, it does not collect voice and audio communications, email messages, text messages, contact lists, images, encryption keys or basic subscriber information.

CBC News and Radio-Canada reporters wanted to figure out who might be using the MDIs they detected around Parliament Hill, so they asked the supplier of the CryptoPhone – ESD America – to analyze what they found.

After ESD America looked over the configurations, CEO and co-founder Les Goldsmith told them that he believes the IMSI catchers detected in Ottawa could be foreign made:

We’re seeing more IMSI catchers with different configurations and we can build a signature. So we’re seeing IMSI catchers that are more likely Chinese, Russian, Israeli and so forth.

An expert in Canadian security who requested anonymity in order to protect his ongoing work said that the use of IMSI catchers, particularly given their placement adjacent to government offices, is very disturbing:

That an MP or a person who works on Parliament Hill could be exposed, that they could be a victim of this type of attack – it undermines our sovereignty.

He also said that Russian intelligence has been found eavesdropping near Canada’s intelligence outfit in the past:

We learned that Russian intelligence was parked near CSIS with equipment on board to do IMSI catching. After X number of days or weeks, they’re capable of identifying the IMSI numbers that belong to intelligence officers because the phones were spending eight hours a day in the same spot.

The Russian and Chinese embassies have vehemently rejected allegations that they might be behind the snooping. Israel has said it doesn’t know anything about it, and the US has declined comment.

Although last week’s admission to law enforcement’s use of stingrays was unprecedented, it’s been known since at least last June that the RCMP uses them. That’s when a court opened up documents in the case of the death of a high-ranking member of a New York crime family who’d been killed outside Montreal. It turned out that police were using IMSI catcher technology to investigate the 2011 death of the mob member, Salvatore (Sal the Ironworker) Montagna.

In the US, the Department of Justice told US law enforcement in 2015 that it had to get a warrant to use stingrays.

But the federal guidelines had a hole big enough to drive a police cruiser through. Namely, they didn’t apply to local law enforcement.

In September, a coalition of civil liberties organizations including the Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU) and the National Association for the Advancement of Colored People (NAACP) launched an effort to rein in surveillance that it says has run amok, be it by excessive use of stingrays or other surveillance technologies.

The coalition’s movement is also called #TakeCTRL. It’s focused on passing ordinances to control surveillance in 11 cities. That goes beyond stingrays: US law enforcement has for years been buying gunshot-detection sensors, license plate readers, and tools to enable data-mining of social media posts for criminal activity and tracking of toll payments when drivers use electronic passes. Texas police have purchased at least one drone.


Image courtesy of Darlene Munro / Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0qvmYggnc_A/

Shadow Brokers return with a password and message for Trump

Every few months, the person or group calling itself Shadow Brokers surfaces with a new claim of dumped NSA hacking tools, leaving us to wonder if they are in the business of satire. Its statements are rambling and often hard to verify, and they are, as Naked Security’s Paul Ducklin once put it, “pseudo-semi-literate”.

Still, in an age where entities like WikiLeaks regularly spill sensitive information on government hacking capabilities, it’s difficult to ignore the likes of Shadow Brokers altogether. With that, there’s another claim from the group to report on:

Shadow Brokers resurfaced Saturday and posted the password to an encrypted file cache believed to be components of a toolkit tied to the National Security Agency’s alleged Equation Group hacking campaign.

In its new message, the group cites frustration with US President Donald Trump as motivation for its latest activities:

TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.

After a very long list of reasons Trump has disappointed them, the group said, “Be considering this our form of protest” before releasing the password.

With the password, it appears anyone can unlock the data dump from last year. (Motherboard confirmed that the password did decrypt the original auction file).

In August 2016, Shadow Brokers claimed that it penetrated the NSA and made off with “cyberweapons” worth more than $500m. They dumped a few files for sampling, with the claim that the files they were keeping back to sell were “better than Stuxnet“.

It then set up an auction to sell off the alleged cyberweapons, the structure of which Naked Security deemed as “absurd” at the time because:

  • The winning bid would buy the stash of cyberweapons and Shadow Brokers would keep the money;
  • All losing bids would be forfeited and Shadow Brokers would keep the money;
  • If the total bids reached BTC 1,000,000, everyone would receive all the cyberweapons for free and Shadow Brokers would keep the money; and so on.

We also noted that one million bitcoins was close to $600m back in August 2016.

So what will that password unlock? Apparently not the entire archive of Equation Group tools. Ars Technica said:

The archive, which the Shadow Brokers previously attempted to auction off, contains just over 300MB of files. It does not appear to contain the entire archive of Equation Group tools. Many of the tools apparently date back to the 1990s, targeting platforms like the Digital Equipment Corp. Alpha, Sun Solaris 2, the defunct Chinese Red Flag Linux, and other older Linux distributions. Other tools are apparently focused on telecom targets, including tools for getting into GSM cellular networks and breaking DES encryption.

It’s worth noting that the group’s auction was unsuccessful, and was ultimately called off in January.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jnE0capDs2E/

GameStop Probes Hack of Customer Payment Data

Customers visiting the video gaming website may have had financial data stolen between Sept. 2016 and Feb. 2017.

The website of American video game company GameStop may have been hacked between September 2016 and February 2017 and customer financial details stolen, KrebsOnSecurity reports. The company admitted to carrying out a probe after being alerted that “payment card data from cards used on the GameStop.com website was being offered for sale on a website.”

Sources said hackers may have stolen customers’ names, addresses, payment card numbers, and CVV2 codes, the report said. Malware is likely to have been used on the company’s site to siphon the data. There are no reports of GameStop retail stores having been affected.

The company has asked customers to monitor payment card account statements for discrepancies.

Read details on KrebsOnSecurity.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: http://www.darkreading.com/attacks-breaches/gamestop-probes-hack-of-customer-payment-data-/d/d-id/1328594?_mc=RSS_DR_EDT

Extradition Hearing Expected Soon for Alleged LinkedIn, DropBox Hacker

Yevgeniy Nikulin is wanted in the US for breaches involving LinkedIn Corp, Dropbox, and Formspring.

The Prague Municipal Court is expected to soon hold a hearing on the extradition requests of Russian citizen Yevgeniy Nikulin by both the US and Russia in connection with alleged hack cases, Reuters reports. Nikulin was arrested in Prague last year by Czech authorities with assistance from the FBI.

The Russian had been indicted by a US jury last October for hacking social media companies LinkedIn Corp, Dropbox, and Formspring. He is also wanted by Russia in connection with a $3,450 online theft case in 2009.

The LinkedIn breach that occurred in 2012 was reported to have impacted 100 million users.

Read more on Reuters.


Article source: http://www.darkreading.com/attacks-breaches/extradition-hearing-expected-soon-for-alleged-linkedin-dropbox-hacker-/d/d-id/1328593?_mc=RSS_DR_EDT

Setting Up Security as a Business: 3 Best Practices for Security Execs

Security leaders need to show they provide more than stop-the-bad guys services. Here’s how.

At the beginning of March 2017, a third-party platform launched that promises to be a bidirectional clearinghouse to improve the security industry’s approach to third-party risk management. Called CyberGRX, the company says it will dramatically alleviate what is now a manual, spreadsheet-driven process of vendors being inefficiently assessed by customers. It will allow security teams for both companies and customers to focus on protecting their respective businesses.

The existence of CyberGRX and other new services signals a movement in the security community. It’s a clear confirmation that security is now a fundamental business issue and a potential growth advantage — and that security executives must take the lead in convening the business and having discussions about how security becomes a strategic lever.


And more often, security execs have the floor. The massive amount of cyberattacks, exploits, and cybercrime have made it clear that every company will be affected by a security issue. Security officers no longer have to waste time legitimizing security as a business risk; they should be the lead executives who provide the insightful information and details on business impact that business leaders need to make sound decisions.

This is the moment that security professionals must change the view of security from a defensive “stop the bad guys” function to a strategic lever that is critical to sustain and drive the business. This “Business Operations Protection” mentality has been simmering for a long time within the security community, and there are three things its leaders must do to make sure this mindset is accepted by the C-suite and board of directors.

1. Know the state of security.
Security leaders are being heard, but how did we get here? In other words, what resonated with your C-suite and board in the first place to give you a seat at the table? There are three main trends:

  • More volume and velocity of cyber incidents. In 2016, more than 4.2 billion records were breached in 4,149 separate incidents globally. What are the trends in your industry and against your business, and how are you proactively defending your organization from these threats?
  • More dramatic and objective business impact. In recent years, security attacks have been measured against things that align with business impact: consumer confidence, business reputation, and rising costs are a few popular metrics. For example, in 2015, British insurance company Lloyd’s of London estimated that cyberattacks cost businesses as much as $400 billion a year, including direct costs plus residual post-attack business effects. In what way can probable events affect your business, your clients, or your go-to-market objectives?
  • Greater accountability to be secure and report as such. Other companies in your ecosystem — such as suppliers, distributors, customers, competitors, government agencies and so on — are also more aware of the risks of cyber incidents than they used to be, so we’re seeing more reporting and compliance-like regulatory measures appear. Not complying comes with its own potential costs and penalties. Examples include General Data Protection Regulation in Europe, or New York State Department of Financial Services regulations, and all include implications for the theft of personally identifiable information, payment data, and personal health information, as well as the costs of credit monitoring and notifying customers.

2. Learn the language of business leadership.
Security leaders are good at understanding the business at a technical level, along with the adversaries they face and residual risk measurements. On the other hand, they’re often not as well-versed in how to talk about the security function’s goals in a way that resonates with business. By merging performance indicators with the impact that security has on them, defining clear alignment to the company’s strategic imperatives, and creating a road map for security, risk, and privacy efforts that accelerate the success of company goals, business leadership will be able to listen, understand, and support the security team’s mission.

To accomplish this, you should be armed to discuss:  

  • Strong metrics around how breaches affect the business. For example, figures around cost per incident and the impact on your company’s profitability, or the number of incidents caused by employees, technology, or external influences, and the resulting hours of downtime to enterprise systems.
  • The less-quantifiable effects resulting from security attacks. For example, the reputational impact on your company, client wins and losses attributable to security features, or client satisfaction and promoter scores after an incident.
  • How security services, projects, and programs provide foundational capabilities that are necessary to deliver or accelerate strategic corporate imperatives.

3. Become an expert in the business.
In talking security, what can get lost is what it’s all for. In other words, security leaders must know end-to-end how their business designs, builds, delivers, and supports the products or services it takes to market.

Some of the key questions to ask:

  • How do we make money? What is our profitability model? Is it on repetitive business? Is it on net new clients? 
  • What does the network of organizations impacting my business look like? Who does business on my behalf? What type of information and technology are exchanged? What supplies my organization so that it can deliver services?
  • What is my intellectual property and why does it matter to my business?

To drive security as a business, at ADP we have a process called value chain risk assessment. We look at our business model and map out the value chain. Because we have multiple businesses within the larger ADP, we have a team called business security officers, whose mission is to understand how our business is designed and delivered so that we’re constructing our security services in a way that serves and supports what we do.

It’s almost too obvious to say, but security is a fundamental driver of business and competition. The businesses that win will be those with security leaders who know how to leverage it. 


As the chief security officer of ADP, Roland Cloutier works to protect and secure one of the world’s largest providers of business outsourcing solutions. His expertise includes managing converged security and business protection programs.
Roland has functional and …

Article source: http://www.darkreading.com/careers-and-people/setting-up-security-as-a-business-3-best-practices-for-security-execs/a/d-id/1328582?_mc=RSS_DR_EDT

Uber ‘showing drivers and riders different fare estimates’, says lawsuit

For months, Uber drivers have been scratching their heads over “upfront pricing”.

The scheme is supposed to make clear to riders, before they even step foot in the car, how much they’ll wind up paying. When a rider uses Uber’s app to hail a ride, the app shows an estimate of what they’ll be charged.

But according to a proposed class action lawsuit, the fare shown to some riders is based on a longer, slower, and hence more expensive route than the one drivers see and are paid for.

Uber pockets “the difference charged to the User and the fare reported to the driver, in addition to the service fee and booking fee disclosed to drivers,” according to the suit.

Uber’s done it intentionally, the suit alleges, by devising a “clever and sophisticated” scheme to manipulate the navigation data used to determine upfront rider fare prices while secretly short-changing the driver.

From the suit, filed in Los Angeles on April 3:

The software utilized in determining the upfront price is specifically designed to provide a route distance and time estimate based on traffic conditions and other variables but not to determine the shortest/quickest reasonable route based on those conditions.

Meanwhile, the software utilized in the driver’s application, which navigates the driver to the User’s destination, utilizes traffic conditions and other variables to provide the driver with a more efficient, shorter, or quicker route to the User’s destination, resulting in a lower fare payout to the driver.

The suit is on behalf of Uber driver Sophano Van and tens of thousands of other drivers in the US. It claims that Uber concocted and implemented the upfront pricing plan between June and September 2016.

It accuses Uber of breach of contract, unjust enrichment/restitution, fraud by concealment, unfair competition, independent contractor misclassification and failure to pay wages, and labor code violations.

From the suit, which called Uber’s upfront pricing software a “shocking example of an active, extensive, methodical scheme implemented worldwide specifically to defraud drivers”…

Specifically, the Uber Defendants deliberately manipulated the navigation data used in determining the fare amount paid by its users and the amount reported and paid to its drivers.

The lawsuit is anything but surprising. Uber drivers have long called upfront pricing a scam.

A sample comment on Uber People:

Jesusdrivesuber, Thursday at 3:16 PM
Yup, they finally got them.
Stay tuned for the X billion settlement.
Lol, I really do wonder who comes up with these bright ideas, TK the scam master or his minions?

…and from the comments on a YouTube video from @UberManYouTube (Randy Lee Shear):


The suit is looking for back pay and legal fees. It’s also demanding a halt to “the unlawful, deceptive, fraudulent, and unfair business practices”.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/2Rcf2i40isg/

Payday lender Wonga admits to data breach

Payday lender Wonga has advised 270,000 customers of a data breach and offered inconsistent advice about the severity of the incident and how to respond.

An “incident FAQ” on the company’s site says “We believe there may have been illegal and unauthorised access to the personal data of some of our customers.” The Reg understands 270,000 customers are potentially at risk, 245,000 of them in the UK.

Wonga says the data that parties unknown have accessed “may have included one or more of the following: name, e-mail address, home address, phone number, the last four digits of your card number (but not the whole number) and/or your bank account number and sort code.”

The FAQ offers contradictory advice on the incident, offering assurances that “We believe that your account is secure and you do not need to take any action” but also says “if you are concerned you should change your account password. We also recommend that you look out for any unusual activity across any bank accounts and online portals.”

The FAQ, and a letter sent to affected customers, also offers the following advice:

Exercise vigilance: Beware of scammers or unusual online activity. Be cautious of anyone who calls you and asks you to disclose any personal information regardless of where they say they are from. If this happens, we recommend that you hang up.

The Register has asked Wonga to clarify why customers need to keep an eye on “unusual activity” if their accounts remain secure and why they might experience inbound scam calls at this time.

Wonga says it is informing customers’ banks of the situation, to help them detect any fraud.

The FAQ also asks the question “How did this happen in the first place and what measures are you taking to ensure that this does not re-occur?” and offers the following as a response:

  • We take issues of customer data and security extremely seriously.
  • Cyber attacks are, unfortunately, on the rise. While Wonga operates to the highest security standards, these illegal attacks are unfortunately increasingly sophisticated.
  • We sincerely apologise for the inconvenience and concern this has caused.

Which The Register rates a masterpiece of evasion and obfuscation, even among the deluges of press releases and non-answers we receive each day.

Wonga charges annual interest rates of 1,509 per cent (yes, one thousand five hundred and nine per cent) for short-term loans designed to tide people over until payday. The company justifies its interest rates on grounds of convenience and value.

The PR people have made contact again hours after this article was published:

“Wonga is urgently investigating illegal and unauthorised access to the personal data of some of its customers in the UK and Poland. We are working closely with authorities and we are in the process of informing affected customers. We sincerely apologise for the inconvenience caused.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/10/wonga_data_breach/